Online Banking Alert - CIO Version

January 14, 2010To: CIOs and Business Officers,

We want to raise awareness, but not alarm, to an electronic crime threat targeting institutional/commercial online banking activities. Two of the most successful criminal operations (and the respective malware) are known as Clampi and Zeus. The operations have been in place for over a year, and have proven to be successful, difficult to stop, and damaging. A public school district in Pennsylvania lost $700,000 in a two-day attack. A county government in Kentucky lost $415,000. A New York school district, $3MM of which .5MM remained unrecovered as of 6-Jan. [1][2]

Persons who conduct institutional/commercial online banking operations are being specifically targeted by the criminals.

Standard desktop computer antivirus is not an effective defense because the attackers constantly morph the attacks to evade antivirus signatures. Network defenses such as firewalls and intrusion detection systems are similarly ineffective. Some attacks have successfully defeated two-factor
authentication[3], although two-factor remains to be an effective defense against many other attacks.

We recommend the following actions:

=== Business Officers and CIO's ===

1. Make sure that your peer (BO or CIO) has a copy of this message.

2. Read the Internet Crime Complaint Center (IC3) message [4].

3. Make certain that systems used in performing financial transactions are protected by strict technical controls and receive periodic validation.

4. Make certain that personnel involved in performing online financial transactions have the necessary security awareness and training. Those persons should receive targeted training on phishing and this threat.

5. Make committed and purposeful use of banking transaction initiator/approver roles. Most banks offer sophisticated role-based controls, but it's up to the institution to put them to effective use.

6. Have written policies defining the controlled environment in which online banking transactions can be conducted, e.g. what systems can be used, how they must be maintained, required personnel training, etc.

7. Routinely audit compliance with established technical controls and policies.

8. WE STRONGLY RECOMMEND THAT all online banking operations should be conducted on special-use computers that are used SOLELY for banking transactions. No other use of the machine should be permitted - no e-mail, no web browsing, no general-purpose business use - nothing but
institutional online banking transactions.

How the attacks work: As described in an FBI release[5] "In a typical scenario, the targeted entity receives a 'spear phishing' e-mail which either contains an infected attachment, or directs the recipient to an infected website. Once the recipient opens the attachment or visits the website, malware is installed on their computer. The malware contains a key logger which will harvest each recipient's business or corporate bank account login information. Shortly thereafter, the perpetrator either creates another user account with the stolen login information or directly initiates funds transfers by masquerading as the legitimate user. These transfers have occurred as both traditional wire transfers and as ACH transfers."

We're sharing additional technical and policy information - aimed at security officers and teams - to the public EDUCAUSE Security mailing list, and within the private REN-ISAC [6] community.

The text of this message (along with clobber-free long URLs) is at:
http://www.ren-isac.net/alerts.html

A technical-audience version of this Alert is also located at that link.